Glen E. Clarke

CompTIA PenTest+ Certification For Dummies


Скачать книгу

the adversary tier with script kiddies at the bottom of the skillset and APT at the top.

A triangle summarizing the adversary tier in which threat actors are ranked based on their threat level and capabilities, with script kiddies at the bottom of the skillset, hacktivist, insider threat and finally APT at the top.

      Graphic designed and created by Brendon Clarke.

      Threat modeling

      Penetration testing typically involves an exercise known as threat modeling. Threat modeling refers to the act of documenting company assets and then defining the types of attacks or threats against those assets. The threats are then assigned a likelihood (the chances the attack will happen) and impact (how serious the result of the attack if successful) so that the threats can be prioritized. Based on the priority of the threats, security professionals put security controls in place to prevent those threats from occurring or to minimize the impact.

      The CompTIA penetration testing process involves four major phases:

      1 Planning and scoping

      2 Information gathering and vulnerability identification

      3 Attacks and exploits

      4 Reporting and communication

      Planning and scoping

      The first phase of the penetration testing process is planning and scoping. This phase is important as it is when you identify the goals of the penetration test, the timeframe, and the rules of engagement (the types of attacks you are allowed and not allowed to perform during the pentest).

      The planning and scoping phase should start with a pre-engagement meeting that determines the extent of the penetration test, such as whether the testing will include internal and external assets. In this phase, you will also determine what systems need to be tested, the best time for testing, and the types of attacks that are allowed and not allowed.

      An important part of the planning and scoping phase is to create a statement of work that specifies exactly what is to be tested and to get written authorization from a person of authority for the business that gives you permission to perform the penetration test. Remember that attacking and exploiting systems without prior authorization is illegal.

      Fortheexam For the PenTest+ certification exam, remember to get written authorization from an authorized party such as the company owner or an upper-level manager before moving on to phase two of the penetration testing process.

      Chapter 2 covers planning and scoping.

      Information gathering and vulnerability identification

      The second phase of the penetration testing process is the information gathering and vulnerability identification phase, which is also known in other pentest models as the “reconnaissance phase.” This phase can be broken into two subphases: information gathering as the first subphase, and vulnerability identification as the second subphase.

      Information gathering

      The information gathering part of the penetration test is a time-consuming part of the penetration test. It involves both passive and active information gathering.

      Active information gathering involves using tools to communicate with the company’s network and systems to discover information about its systems. For example, doing a port scan to find out what ports are open on the company’s systems is considered active because in order to know what ports are open on each system, you have to communicate with those systems. Once you start communicating with the company’s network, you risk detection, which is why these techniques are categorized differently than passive information gathering techniques. Note that active information gathering is also known as active reconnaissance.

      Vulnerability identification

      Once the information gathering subphase is complete, you should now have a listing of the ports open on the system and potentially a list of the software being used to open those ports. In the vulnerability identification subphase, you research the vulnerabilities that exist with each piece of software being used by the target. Vulnerability identification also involves using a vulnerability scanner to automate the discovery of vulnerabilities that exist on the target networks and systems.

      Chapters 3 and 4 cover information gathering and vulnerability identification.

      Attacks and exploits

      The third phase of the penetration testing process is to perform the attacks and exploit systems. In this phase, with knowledge of the vulnerabilities that exist on the targets, you can then break out the penetration tools to attack and exploit the systems. This involves social engineering attacks, network attacks, software attacks such as SQL injection, and wireless attacks against wireless networks.

      Once a system is compromised, you can then perform post-exploitation tasks, which involve collecting more information about the system or planting a backdoor to ensure you can gain access at a later time.

      Chapters 5 through 10 cover attacks and exploits.

      Reporting and communication

      The fourth and final phase of the penetration testing process is reporting and communication. These tasks are the reason the penetration test was performed in the first place: to report on the findings and specify remediation steps the customer can take to reduce or eliminate the threats discovered.

      During this phase, you will write a report of the actions you performed during the penetration test and the results of the testing. You will also include recommendations on how to better secure the systems in the report. The report will be delivered to the customer in the sign-off meeting, and the customer will sign-off on the completion of the penetration test.

      Chapter 11 covers reporting and communication.